perl-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stas Bekman <>
Subject Re: Cross-site scripting vulnerability in Apache::Util
Date Thu, 24 Jan 2002 18:54:28 GMT
Geoffrey Young wrote:

>>However I'm not sure your patch does the right thing re UTF-8, unless there's
>>some magic involved that I'm not seeing :-/ I'm no expert on how to deal with
>>UTF-8 in C (or even in Perl) but it looks like you're only addressing 8bit
> ok, after some to and fro with robin over on #modperl it looks like we discovered a few
> things...
> first, Apache::Util is not UTF-8 compliant, since it currently mangles C strings
> byte-by-byte, which introduces the possibility that all or part of a 2-byte character
> could be mangled.
> second, the patch follows suit and expands the range of 1-byte characters it mangles,
> which makes it more non-UTF-8 friendly.
> so, basically what we're thinking is that the new Apache::Util is more secure for
> non-UTF-8 encodings, while more broken for UTF-8.  but UTF-8 is unusable with Apache::Util
> in either case, so the patch is probably a good thing.
> other ideas/eyeballs are welcome here, since we've just been going over the spec and
> making some conjectures - neither of us is an expert here by any means.
> once other people chime in, we can whip up a doc patch for Apache::Util as well.

Since Apache::Util wasn't ported to mod_perl 2.0 and I was thinking to 
do that at some point. So we can work on the Apache::Util for 2.0 and 
then backport it to 1.x. Sounds like a more promising scenario.

So what spec are you working with?

Can we just reap the functionality from some Perl core module in 
bleadperl that does it right?

Stas Bekman             JAm_pH      --   Just Another mod_perl Hacker      mod_perl Guide

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message